are the connections between the ACS and external identity stores encrypted?I know that when setting up LDAP identity store there is the option to specify SSL conection. Are the other connections encrypted by default, or is the data sent between the ACS and AD, for example, sent in the clear?
View 3 RepliesI have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
We use Cisco LMS Prime 4.1 to archive our Cisco Equipment configurations.
Now we want to store the configurations off site.
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.
View 1 Replies View RelatedI am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
I have a new techni colour wifi router TG582n which has a usb cobnnection in the side. I also have a new Samsung 400 gig external hard drive can these be linked to make a wifi hard disc store.
View 2 Replies View RelatedI've noticed, that ACS 5.1 is writing .gpg archives for backups. I'm about to upgrade an evaluation system and the Installation and Upgrade Guide tells me to do a full backup and restore in order to upgrade an eval to a production system. [URL] (second note in section "Evaluating ACS 5.1)
Question: can the production system sucessfully decrypt the backup? According to my personal gpg it is CAST5 encrypted with one passphrase. Is this passphrase constant for all ACS 5.x?
I'm trying to authorize managment access for HP ProCurve Manager via ACS RADIUS. But I get the failure: 15015 Could not find ID Store Machine is configured under Network Devices and AAA Clients, the sevice selection rule selects the correct access service, Access Service is Network Access, authorization profiles = permit access.
View 2 Replies View RelatedUsing Sha1 for Cisco 7925g and sha256 for data. Two separate CA's, one EnTrust (SHA1) the other Local Wondows CA (SHA256); ISE can only use one at a time to process a particular protocol (ie..EAP-TLS, HTTP, etc...) As a result we have to have a separate PSN just for Wireless and Wired VoIP (which can only hold SHA1 RSA1024).
View 5 Replies View RelatedSituation: I have a File server, name is \fileserver and ip address is: \192.168.1.254The shared drive on the server is split into 2 folders which are: Data and HomeI have 17 laptops which all connect to these folders via a group policy which maps the L: to Data and the H: to Home. On 4 of the laptops, for some reason I can't access the Home folder as I get an access denied message. I am the administrator and have full rights. On the other 13 laptops it works fine. I have found that if I try connecting using the IP address \192.168.1.254Home, it works fine.[CODE]
View 10 Replies View RelatedI am currently running cisco ACS 5.1.0.44 and use active directory as the main authentication identity store to allow network administrators to have access to network devices in my organization .As per the established security policies in my organization , the ACS has to disable any account after 3 failed login attempts to any network devices .i have gone through all the settings oN the acs but couldn't find where or how it is done .
View 3 Replies View RelatedI have a new Inspiron 7520 and having issues with connecting to my secure network. In trying to troubleshoot the issue, I've discovered I can connect to my network when the connection is unsecured. When its encrypted, my connection is only limited (no IP address assign). I've also downloaded and installed the latest drivers with no resolution to my issue.
PC and Network Specifics:
PC - Inspiron 7520Wireless Router = Netgear N600 - model WNDR3700Wireless Network - 2.4GHz b/g/n, WPA2-PSK [AES]
System - Windows 8, 64-bitWindows IP Configuration
[Code]......
Can operate simultaneously multiple external DB in ACS 4.2?Mutiful External DB server is AD and Token server
View 1 Replies View RelatedWe currently use ACS 4.2 for authentication of corporate users who are accessing the network in 2 different ways:
1) VPN client (via ASA5510)
2) Wireless (EAP-PEAP)
For all users who currently access the network via either of the above 2 methods, the Password Authentication under User Account settings in ACS is set to query an RSA SecurID Token Server.
We would like to try achieve the following in ACS:
IF an access request comes from the ASA (VPN clients), THEN we would like the user's password authentication to be handled by the RSA SecurID Token Server as it currently is. IF an access request comes from the Wireless LAN controllers THEN we would like to use EAP-TLS authentication. (We are aware that we would obviously need to configure the WLC, clients, PKI infrastructure etc accordingly for eap-tls).
I am working on project with Secure ACS 5.2. I am trying to determine the proper External Database to use. LDAP or direct to AD?
Additionally, the Domain that I am connecting to has Multiple sub domains. All of the users are currently in the Sub domains, but will be moving to root domain later. How should I configure the connection, do I need to connec to each sub domain or can I just connect to the root?
I've got a pair of Cisco ACS 4.2 servers running on our corporate LAN. Currently they are doing TACACS+ for the network gear, and wireless authentications for internal users.
We have contracted with an external web site for an application - They can run RADIUS from their site to our LAN for the user authentications. How can I best do this?
1. NAT the traffic on my ASA firewalls to the internal servers, send the RADIUS traffic to/from the external site?
2. Is this secure?
3. Should I have a RADIUS server in the DMZ instead?
4. Any issues with doing this on ACS 4.2?
We are currently using Cisco ACS 5.3.0.40.2. One of the Services Selection Policy it hosts is:
Receive Authentication request from a wireless controller for a wireless userIf the wireless user's username contains a particular domain suffix, the request is proxied to an external proxy server using an External Proxy service (configured for both local/remote accounting)On receiving an Acccess-Accept from the external proxy, the user is given access and ACS 5 will start logging account packets for the username (nothing appears in the RADIUS authentication logs - ACS 5 it seems doesn't log proxied authentication requests) The above setup works fine in most instances. We start to have problems when an external proxy server strips the domain suffix off the username in the Access-Accept packet e.g.
ACS 5 proxies an Access-Request to an external proxy server (with Username = someuser@somwhere.com)The external proxy replies with an Access-Accept (with Username = someuser)The user 'someuser' is given access but subsequent accounting attempts fail because their username (without the domain suffix) doesn't match the Service Selection PolicyIs there any way to get ACS 5.3 to log proxied authentication requests? If not, can I configure ACS 5.3 to use the username in the Access-Request packet (rather than the username in the Access-Accept packet) for accounting?
Is it possible to create on ACS5 rule which will:
1. Try to authenticate user in external database1 (radius)
2. When external database1 returns FAIL (because of bad password) ACS5 should try to authenticate user in another external database2 (radius)
Having CSACSE-1113-K9 with ACS 4.2.15.I want to configure windows user database under extrenal user database but i get an error (attached) 'An error has occured while processing the Authen DLL Configure pagebecasue an error occured.I tried to stop the services and start agian but the same issue. The eappliance is secondary (backup) ACS. On the primary it is working fine.
View 1 Replies View RelatedI have problem with Cisco ACS 4.0 "Windows" with core 4500 switch "cat4500-ENTSERVICESK9-M 12.2" the problem shows only on one device "x.x.x.x" the problem is " Authen failed-------badcred------External DB user invalid or bad password" i can see it in failed attempt. on the same side i can see in Passed Authentications for same record "Authen OK", i can login to the mentioned switch using my ACS credentials and not local database credentials
can debug this from ACS if not how can view the authentication records from core switch?
I have ACS4 and i am planning to upgrade to ACS5.I would like to have such a rules:I have user1, one ASA device which is VPN concentrator for remote users.ASA have two different tunnel-groups: one which allow for logging via certificate (with mandatory pki authorization thru ACS) with disabled Xauth,and second tunnel-group with allow login thru typical Xauth with authorization thru ACS which users external database (RSA Tokens).So i have one user1 which can login thru VPN using RSA tokencode or certificate.For example: on phone user1 uses certificate, and on PC station the same user1 uses token password.For tunnel-group with pki authorization ASA checks username in ACS and in typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user - one for pki authorization, and second one external database (RSA token).Is such scenatio possible under ACS 5 ? where one user uses different credentials based on tunnel-group usage ?
View 2 Replies View RelatedI reloaded XP on an old laptop I have, a Toshiba Satellite, and it works fine. Problem is when I try to connect to my wireless network, it comes up as being security protected...and it isn't...and never has been. I have other computers connecting just fine, but I can't seem to figure this one out. I don't have a key to enter as there isn't one! I installed a USB wireless adapter, and it works fine, but I don't want to use the adapter on the laptop.
View 6 Replies View RelatedHow can we check when we connect using VPN client software if traffic is getting encrypted ?
View 7 Replies View RelatedI am actualy trying to make a remote access VPN between a ISR1921 and Windows 7 pro. I already managed to put a PPTP VPN with an authentication against our LDAP databse via radius. But our password are in SHA1 in our LDAP, so I had to let the password unencrypted on the network using pap and this is bad.If I don't use pap, it simply doesn't work since all the other method need unencrypted password for the challenge authentication.Does that mean that every remote access VPN keep our password unencrypted ? Maybe use EAP (but I can't find a howto or good documentation about it)? Can I add a certificate or something?
View 1 Replies View RelatedIs it possible to configure an IPSEC GRE tunnel with RIP on an SRP527w? I see RIP, GRE & IPSEC are all possible.. But I'm not sure about them all together securing the GRE tunnel??
I basically want to do this with the SRW routers not native IOS. Single head end hub & spoke.
I've configured an ASA5505 to be Lan to Lan VPN tunnel endpoint, peering with a linux box. The ASA is full licensed so that side isn't an issue.PROBLEM:When the tunnel is initialised from the linux box everything comes up okay except the ASA isn't encapsulation any packets. It is decrypted the packets received from the Linux box okay but no return traffic is being encrypted.When the tunnel is initialised from the ASA, nothing happens.After some troubleshooting I've found that the ACL defining interesting traffic nor the ACL defining NO_NAT aren't being hit at all.
ACL for NO_NAT:
access-list NO_NAT line 1 remark ACL USED TO DEFINE WHAT TRAFFIC NOT TO NAT OVER THE VPN
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0xc736d5fb
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0)
[code]....
I've checked with the administrator of the linux box and the definition for interesting traffic is exactly the same (except in reverse as should be the case).The firewall is doing other things like NATs and such like too but those NATs have nothing to do with this VPN. The setup is a LAN to LAN connection with no natting in between.The main parts of the config are attached, i've deleted things that should have a bearing on this however if you think it necessary i can sanitise the config and re-post. I think it will be working fine as long as the traffic hits those ACLs, however they're not and I'm unsure why.At this time i'm not seeing anything at all when doing an debug cry ipsec or debug cry isa. The ACL's aren't being hit so i'm guessing it's not even trying to form the VPN as it can't see any traffic that constitutes being 'interesting'.
I have
MLS : C6509-E
SUP : VS-S720-10G
PFC : VS-F6K-PFC3CXL
I'm trying to find out what is its limitation for encrypted traffic via SVTI there .
I don't have a SPA for the ip sec .
I'm on my first configuration of a Cisco firewall. I'm trying ASA 5505 using Cisco ASDM 5.2 (not GUI). I configured Vlan1 (inside) and Vlan2(outside) and all seems to work correctly. Network clients can use Internet and ping internal LAN. But I've some problems with vpn and other services: 1. when I try to connect to external VPN server the connection procedure stopped in username/password validation (if I try directly, without firewall ASA, there's no problem) 2.I've problems also to see external security cam working trough a web server. I open port 1723 - 500 and GRE. What can I do more?
View 4 Replies View RelatedHow WEP cracking works. I have a much better understanding now but it seems whatever programs I download and however close I get I always hit a wall somewhere. I am using windows 7 64 bit and my network adapters/cards are Broadcom 802.11n Network Adapter and Broadcom Netlink(TM) Gigabit Ethernet. I am not sure if these are adequate. I was using Commlink and aircrack but not sure if they are compatible and which versions i should have installed. I got as far as the collecting packets stage but the packets that appeared said ENCRYPT which was not correct and then my computer went to blue screen adn shut down and I had to system restore.
View 1 Replies View RelatedThe only way we can use our Motorola router is unencrypted. I have gone into the router numerous times and reset it, unplugged it, retyped the WEP key, tried to shift to WPA and nothing works. None of three computers in the house will connect unless all encryption is off. We live in a good neighborhood on a cul de sac, don't get a lot of traffic through here, and know the immediate neighbors, but nothing is stopping a stranger with a laptop from sitting on the street and using our wifi. I've talked to the Comcast tech. The trouble just seems to be our boxes won't get past the WEP encryption stage.
View 8 Replies View Related